
If you lose your phone you may also have lost access to your email, if you used a passkey to sign into that.


If you lose your phone and you only have your phone to access your email, then you also have lost access to your password if you're using a strong password and a password manager.

Or do you remember a 20+ random character string for each site and thus do not need a password manager?


My email and password manager are actually the two unique passwords I do remember (the rest are in my password manager). So losing my phone does not mean I lose access to them. I _have_ actually lost all my electronic devices in a house fire, so this is from experience.

2FA does make this more complicated and in my case my password manager did not have 2FA, but TOTP with backup codes does let you store those backup codes somewhere else, while none of the passkey implementations I have seen (Fastmail, Amazon and Toggl) have an equivalent to the backup codes for TOTP. The fact that they still support password auth is probably their failsafe here, but this assumes that password auth continues to exist, which is contrary to the goals of passkeys.
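The comment above contrasts TOTP, which can be paired with single-use backup codes kept off the device, with passkey deployments that offer no such fallback. The following is an added illustration (not code from the commenter or from any of the providers named) of what that fallback looks like on the server side: an RFC 6238 TOTP check plus a store of hashed, one-time recovery codes that survive the loss of every device. It uses only the Python standard library; the names `RecoveryStore`, `verify_second_factor` and `generate_backup_codes` are hypothetical, and the TOTP secret in the usage block is the RFC 6238 test vector, not a real credential.

```python
import hashlib
import hmac
import secrets
import struct
import time

# ---- TOTP (RFC 6238, HMAC-SHA1, 30-second step) ----

def totp_code(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP value for a Unix timestamp (HOTP over the time counter)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, submitted: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, timestamp + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# ---- One-time backup codes ----

def generate_backup_codes(count: int = 10) -> list:
    """Return human-readable codes like 'a1b2c-3d4e5' (40 random bits each)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)              # 10 hex characters
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes

def _normalize(code: str) -> str:
    return code.replace("-", "").replace(" ", "").strip().lower()

def hash_code(code: str) -> str:
    # Codes are high-entropy random strings, so a fast hash is adequate here;
    # the point is that a leaked table does not reveal usable codes.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()

class RecoveryStore:
    """Per-account second-factor state: a TOTP secret and unused backup-code hashes."""

    def __init__(self, totp_secret: bytes, backup_codes: list):
        self.totp_secret = totp_secret
        self._unused = {hash_code(c) for c in backup_codes}

    def remaining_backup_codes(self) -> int:
        return len(self._unused)

    def verify_second_factor(self, submitted: str, now: int = None):
        """Return 'totp', 'backup', or None. A backup code is consumed on first use."""
        now = int(time.time()) if now is None else now
        if submitted.isdigit() and verify_totp(self.totp_secret, submitted, now):
            return "totp"
        digest = hash_code(submitted)
        if digest in self._unused:
            self._unused.discard(digest)         # single use: cannot be replayed
            return "backup"
        return None

if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret ("12345678901234567890").
    secret = b"12345678901234567890"
    codes = generate_backup_codes()
    store = RecoveryStore(secret, codes)
    print("hand these to the user once, to keep off-device:", codes)
    print("totp at t=59:", store.verify_second_factor("287082", now=59))
    print("backup first use:", store.verify_second_factor(codes[0]))
    print("backup replay:", store.verify_second_factor(codes[0]))
    print("codes left:", store.remaining_backup_codes())
```

The codes are shown to the user exactly once at enrollment and only their hashes are retained, so a server-side compromise of the table does not hand out working recovery codes, and each code is discarded the moment it is accepted.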


>I _have_ actually lost all my electronic devices in a house fire, so this is from experience.

I can't speak to other passkey managers, but both Google and Apple have pretty thorough account recovery flows that work even if you lose 100% of your devices.


Google regularly asks me for annoying things even when I have all my credentials. What’s their account recovery flow? I’m not sure I trust it to be good.


I just had to go through it for a friend who had forgotten their Google password. It was good. Tbh it would be more surprising if it was bad since they have millions of users. So the amount of people who go through that flow every day is probably very high in terms of absolute numbers, even if it’s only a small percentage of users. And Google is known to do a shitload of A/B testing anytime they tweak their UI/UX.

So yeah I think it would be way more surprising to me if this particular flow was bad. If anything it’s likely to be one of their _best_ flows, given their scale and how critical of a flow it is.

And given that they love to track users to serve them ads, it’s also very much in their (capitalist) interest to make sure users don’t get locked out of their accounts.


That has not been my experience with Google, as detailed in the other time you sent this reply.


That’s why you don’t create a passkey for the service that manages your credentials.

Use a pair of yubikeys.

BTW, all major email providers have a flow to allow you to recover access to your account.

When you enable passkeys it doesn’t suddenly deactivate every other way of logging in.


That’s definitely not the position most passkey proponents take.



